
The new version (5.4) of OpenSSH was released early this morning. OpenSSH is THE free implementation of the SSH protocol available on common devices and operating systems.
The primary goal of OpenSSH is to allow remote access to hosts for management purposes. But many other features make OpenSSH a real Swiss-army knife for all network and system administrators:
- Multiple encryption methods,
- File transfer using SCP or SFTP,
- Port forwarding,
- SOCKS proxy server,
- VPN (tunneling),
- X11 forwarding,
- Multiple authentication methods and single sign-on (via agent forwarding).
Some OpenSSH releases just fix bugs or introduce light changes. But today, release 5.4 comes with an exciting new feature that looks very interesting to me: the “netcat mode”. Quoted from the release notes:
“Added a ‘netcat mode’ to ssh(1): “ssh -W host:port …” This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.”
Netcat can also be compared to a Swiss-army knife, at the TCP/IP level. It is a multi-purpose tool which reads and writes data across network connections. Originally, it was a tool available on UNIX flavors but Netcat (or “nc”) is also available for Windows [Note: the Windows version is often detected as suspicious by common anti-virus software]. Netcat lacks encryption (a problem if your original data is in clear text) but now, with the brand new OpenSSH, we can pipe data safely!
Example #1: I’m connected via a wild WiFi network or your Internet Service Provider does not allow outgoing traffic via the SMTP port (TCP/25): [Note: In this example and all others below, we assume that both server and client are running version 5.4]
$ ssh -p 443 -W gmail-smtp-in.l.google.com:25 xavier@server.acme.org
xavier@server.acme.org's password:
220 mx.google.com ESMTP a10si9247793bky.86
helo rootshell.be
250 mx.google.com at your service
quit
221 2.0.0 closing connection a10si9247793bky.86
$
Example #2: Let’s open a telnet session to an old switch without SSH support (this time, I’m authenticated using a key pair):
$ ssh -p 443 -W 192.168.254.101:23 xavier@server.acme.org
Trying 192.168.254.101...
Connected to 192.168.254.101.
Escape character is '^]'.
User Name : ^]
telnet> close
$
But you will ask: “What’s the difference with the “-L” option available for years?”. Indeed, OpenSSH has long allowed port forwarding, as in this example:
$ ssh -p 443 -L 2300:192.168.254.101:23 xavier@server.acme.org
The SSH client will bind to port 2300 on the loopback and forward any incoming packet to the remote IP 192.168.254.101. But there are two constraints with the classic port forwarding method:
- Once the SSH session has been opened and the port successfully bound, you need to use a native client to connect to this port. And such a command can be disabled by a local security policy or not installed at all! A common usage is to create a tunnel for POP3 traffic (TCP/110) but a POP3 client will be required and must be reconfigured to use the localhost/port defined at the command line level.
- SSH must bind a port to the localhost. To bind a port below 1024, you must have root privileges! This can be a problem if the client cannot change the default port. And even if the chosen port is above 1024, traffic can be blocked by local firewall rules.
As OpenSSH connects STDIO to the remote host/port, you are free to type your commands or data, copy/paste them or pipe them to the SSH process.
Example #3: You need to transfer a binary file to a remote server which runs Netcat in listening mode but you don’t have Netcat available on the current computer:
cat binary.jpg | ssh -W netcathost:4000 xavier@server.acme.org
This new “netcat mode” is IMHO a killer feature in this new release of OpenSSH but it should not overshadow other changes such as:
- SSH Version 1 support is now disabled by default! After 10 years!
- A ‘read-only’ mode is available to sftp-server.
For a complete review of changes and bug fixes, have a look at the official announcement.
Recently, I read an RFP issued by a customer. The main topic focused on perimeter security but a paragraph mentioned the protection of SCADA environments. I have no practical experience with SCADA and I tried to find relevant information about the deployment of security solutions in such environments. Here follows a compilation of information about this technology. This is just an introduction, I’m not a “guru”.
SCADA means “Supervisory Control And Data Acquisition”. It refers to the use of computers to monitor and control an industrial process. From a console (called HMI – “Human Machine Interface”), operators can interact with a bunch of sensors and programmable controllers. In short, it’s possible to collect information from a sensor (the “Acquisition” phase) or interact with active components (the “Control” phase). Practical examples are reading the pressure in a pipe and controlling the opening of a valve to reduce the pressure. SCADA could be compared (very rough comparison!) with SNMP: you can poll the value of SNMP OIDs from a network device like a switch, or receive traps and change the value of certain OIDs.
SCADA is used in multiple domains: industrial (example: energy production), infrastructure (distribution) or facilities (buildings, cooling or heating systems, airport luggage handling systems). By reading those examples, you immediately realize that the environments where SCADA components are deployed are really critical. Bad interpretation or unexpected behavior can have major impacts up to the highest level: risk of bodily injury or even death! Can you imagine a SCADA environment controlled by hackers? That’s basically the scenario of the latest Die Hard movie. Scary? But this is not a movie: vulnerabilities have already been discovered in SCADA products!
The different components of a SCADA infrastructure must exchange information via a communication link. In the first generations of products, this was performed over serial or modem connections. Today, the latest generation uses (what a surprise!) TCP/IP networks. Ethernet is commonly used but, for longer distances (example: to manage railway infrastructure), communications are based on SONET links. Alas, TCP/IP also means more vulnerabilities. Note that a SCADA infrastructure does not rely on a unique standardized protocol. A lot of them have been developed and are understood by most of the manufacturers (good examples are nice names like IEC 60870-5-101 or 104, IEC 61850 or DNP3). Old protocols are replaced by common networking protocols over IP. The “web madness” also reached the SCADA product manufacturers: more and more web interfaces are available to manage the components (more friendly interfaces).
What are the risks associated with a SCADA infrastructure?
- First, IP protocols are routed protocols. Packets can be routed/NATed. The SCADA components must be physically separated from any other IP network. Installing a firewall between the organization LAN and the HMI console is not enough with today’s attacks. Of course, any Internet connectivity must be prohibited.
- By introducing web interfaces, manufacturers increase the risk of introducing web vulnerabilities. Check out the OWASP Top Ten for more information about risks associated with web applications.
- DoS (“Denial of Service”) attacks. Attackers could try to interrupt communications between the components or flood a component with false-positive information.
- Common mistakes are the lack of controls and the principle of “security by obscurity”. SCADA protocols are obscure protocols but it does not mean they are not vulnerable.
- Network outages: components must be able to exchange information in real-time without any interruption.
Those issues can be classified into two main types of threats: unauthorized access to a control station (HMI) or injection of rogue packets on a SCADA network.
How to protect a network carrying SCADA protocols? First, physically disconnect the network segment used by the SCADA components from the rest of your network. Still today, too many SCADA devices are directly available on the Internet. Protect against inappropriate physical access to the network. Switches must be properly secured: all unused ports must be disabled and port-security must be enabled (example: by learning the MAC addresses). Perform end-point authentication for all devices connected to the SCADA network (using VMPS, 802.1x or any other solution). If packets must cross other segments (business or technical requirements), encrypt all the traffic using a VPN or an SSL tunnel.
At host level (the HMI or console), restrict physical and logical access to the console. Prevent any communication with another network. Those hosts must be dedicated to the SCADA applications and never exchange e-mail or web traffic, which are common sources of malware and viruses. Local security must be enforced using anti-virus, anti-malware or host-based IDS. Another good practice is to work with white lists of applications. Also, automatic patching can be disabled to prevent any unexpected reboot or problem. Patches must be validated first on a test system before being installed in the production environment during defined intervention time windows.
Like other networks, IDS and firewalls can be deployed. An Intrusion Detection System could detect suspicious or malformed SCADA packets injected on a network. On Scadapedia, there are SCADA signatures ready to be used with Snort, a well-known open source IDS project. Signatures cover the following protocols: Modbus/TCP, DNP3 and ICCP. Some firewall solutions exist to filter SCADA protocols. Those are commercial products, often based on a Linux kernel with iptables and a bunch of specific rules. Finally, don’t forget to add some visibility on top of your SCADA network:
- Monitor the components health using a monitoring tool.
- Collect information about your network. Restrict the amount of traffic to the minimum to keep the network performant.
- Monitor the network response time and availability.
Another interesting project is called the SCADA Honeynet Project. It simulates several industrial environments. The ISA (“International Society of Automation”) developed a standard (ISA99) called: Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program. It addresses manufacturing and control systems whose compromise could result in situations affecting the safety of the public or employees, loss of confidential information, loss of profit, or an impact on national security.
To conclude, protecting a SCADA network is like any other network: the CIA-principle must be respected. But with two main differences:
- Specific “obscure” protocols not supported by the common security devices (deployed solutions must be adapted to the SCADA protocols).
- Incidents can have major impacts on infrastructure outside the IT infrastructure or on people.
Some news has been disclosed about the next release of Ubuntu, called “Lucid Lynx”. This new distribution is logically planned for April 2010 and will introduce, amongst a long list of new features, the “desktop socialization”. Mark Shuttleworth, the founder of Ubuntu, explained in an interview that the desktop will integrate new tools to interact with social networks. This has been relayed by TheRegister.
Ubuntu will allow access via the desktop to Twitter and Facebook, the big players in today’s social networks landscape. The goal is to allow users to update their status and get notifications without opening a browser. It looks nice on paper, but there are some security concerns.
From a pure end-user point of view, it sounds logical to offer more features like access to social networks directly on the desktop. But what about security? As always, it is a question of security against usability. The new Ubuntu feature was the origin of a thread on the Full-Disclosure mailing list.
Of course, the new Ubuntu desktop will access the social networks only based on the user’s decision. The user will have to configure his credentials. But once this initial configuration is done, what will happen? Chances are that the user will store the credentials on the system to avoid retyping his password all the time (we are all lazy people!). The boundary between good (offline) and evil (online) will be further reduced. By opening a browser, the end-user “realizes” that he’ll be online and (maybe) adapts his behavior. Today, everybody is connected all the time to the Internet using broadband or corporate connections but I like the fact of performing an “action” to go online. For Internet veterans like me, it was like dialing your ISP with a modem to access the Internet.
Social networks will be more and more a target of choice for the bad guys. Risks will be greater when data is received and directly processed at the desktop level. Modern browsers offer many more security features (read: I don’t say they are bullet-proof) than the desktop, and add-ons can greatly increase the security (like the Firefox add-on NoScript). My browser (like other critical network applications) runs in a restricted environment (sandboxes). It’s always good to apply the principle of privilege separation!
Finally, some tools integrated with the desktop do not have all the nice features of a browser, like compatibility with SOCKS proxies! In Ubuntu 9.10, the instant messaging client Pidgin was replaced by Empathy. This one does not support SOCKS proxies by default. Passing your traffic through a SOCKS/SSH tunnel could be useful when you need to connect in a hostile environment like a security conference. Here is a screenshot of the future interface:
 (Source: korben.info)
In security, when you have to restrict access to “resources” (websites, files, IP addresses, ports, etc), you can deploy white or black lists. The term “white list” refers to a list of resources which are allowed or granted. Conversely, a black list refers to resources which are denied or unrecognized.
Both methods have pros and cons. When implementing a white list, the default action will be to deny access to all unknown resources. This imposes strong management of your white list(s). Otherwise, your users could be denied access to required or valid information, or applications could be prohibited from accessing some valid resources.
In the case of a black list, everything is allowed by default and access is restricted on a case-by-case basis. Your users or applications will always have access to their resources but also to potentially dangerous ones. Management of a black list will be easier but you will always be “behind the times” in blocking malicious resources. Which one is the best of the two access methods? A best practice is to use the “least privilege” principle to restrict access to resources. Quoted from Wikipedia, least privilege is defined as:
“In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.“.
That’s why maintaining white lists is a pain and a recurrent process. To not reinvent the wheel, why not use online white lists? If you plan to restrict access to files and applications using a white list, consider the following new tool.
The ISC (“Internet Storm Center”) provides direct access to the NIST National Software Reference Library database. This database is a collection of digital signatures of well-known software applications (the current database contains nearly 40 million records). Provide an MD5, SHA1 or a file name and you will receive useful information. Check out the search interface here.
Note that the database is also available via DNS request! Very convenient to check your files directly from a script. Perform DNS queries on md5.dshield.org. Here is an example:
$ dig +short 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org TXT
"cmd.exe | NIST"
Note: If you need to test a complete system, NIST has a very convenient bootable CD ISO for collecting metadata, hashing and storing in NIST NSRL format. There are also images of CD with the hashes databases available.
How to use this database? Via the following script, you can search for files created on a file system and query the online database:
$ find /data -type f -ctime 1 -exec /bin/md5sum {} \; | while read L
do
# md5sum prints "<hash>  <file>": keep only the hash, as $1
set -- $L
dig +short $1.md5.dshield.org TXT
done
The database must be considered as a white list. It contains only signatures of “good” applications and no malware or other suspicious tools. But some tools can be detected as dangerous in some environments (Nmap is a good example). It could be interesting to implement this security check in parallel with a host-based IDS like OSSEC.

After a great first edition in 2009, BruCON will be back in 2010! Two days of trainings and two days of talks.
The Call for Papers (CFP) has been announced and will remain open until 30th of April 2010. Submit your proposals directly via the dedicated tool, here.

Secunia is a security company which, amongst other activities, maintains a huge database of vulnerabilities. On their website, they describe their business like this:
“Secunia collects, evaluates, verifies, and analyses security information. This security information is available through our databases and is distributed to our customers, segmented according to their specific business needs.“.
Their vulnerability database is available to all visitors for free. They also offer paid business services like VIF (“Vulnerability Intelligence Feed”) and some information is available only to subscribed customers. The Secunia website is one of my reference sites to find vulnerabilities and the free version offers enough useful information to be kept up-to-date.
But we are all annoyed by recurrent tasks: a daily visit to Secunia is so boring! (They have not provided a free RSS feed since the beginning of 2009.) Why not get an overview of the new vulnerabilities in our internal monitoring tools? A SIEM (or a log management tool) is able to collect and normalize events from heterogeneous sources. Why not collect the Secunia advisories and store them in the SIEM events database? The “S” means “Security”, so an updated feed of advisories could certainly be a plus:
- Reports could be generated to provide a list of advisories for a given period of time.
- Matching device names and types with the vulnerabilities could improve the classification of assets based on vulnerability severity.
- Real-time alerts based on specific vulnerabilities.
Thanks to the original script of a colleague (Thanks Bram!), I developed a new Perl script which stores the Secunia vulnerabilities into a MySQL database and, optionally, to a flat file. [Note: between the first version of this article and the publication, Secunia changed the HTML presentation of the vulnerabilities. I updated the script but more changes may occur in the future!] Many SIEM products could easily read files from a file system and “learn” the format to create normalized events. The events flow will look like:
[Figure: events flow]
The Perl script requires the following modules:
LWP::Simple
DateTime::Format::Strptime
DBI
HTML::TreeBuilder
HTML::Element
HTML::TableContentParser
At the beginning of the script, the MySQL information can be specified to match your environment (user, pass, dbname, etc). A small database must be created with only one table. The schema is:
mysql> describe advisory;
+------------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+------------+--------------+------+-----+---------+-------+
| id | int(11) | NO | PRI | NULL | |
| date | date | NO | | NULL | |
| severity | varchar(20) | NO | | NULL | |
| product | varchar(100) | YES | | NULL | |
| impact | varchar(100) | YES | | NULL | |
| source | varchar(100) | YES | | NULL | |
| descr | varchar(256) | YES | | NULL | |
| url | varchar(256) | YES | | NULL | |
| popularity | int(5) | YES | | NULL | |
+------------+--------------+------+-----+---------+-------+
9 rows in set (0.01 sec)
mysql>
The Perl script accepts the following arguments:
./secunia_parse.pl -h
Usage: secunia_parse.pl [-h] [-d] [-o outputfile] [-a] [-s separator ]
[-m yyyy-mm-dd]
Where:
-h : Display command line usage.
-d : Enable debug mode (verbose output).
-o outputfile : Write advisories to a file (1/line).
-a : Append to the outfile file if already exists.
-s separator : Field separator for the logfile (default: "|")
-m yyyy-mm-dd : Parse advisories from today to the given date.
By default, the script fetches all new advisories if not yet present in the DB. If an advisory is already present, it will be updated (example: if the critical level has been raised or lowered). To prevent a flood of requests, only the first 100 pages of the Secunia history will be parsed. The “-m” flag is useful to force a fetch of advisories from the given date up to today’s date.
The script saves the vulnerabilities in the MySQL DB. By using the flag “-o” we can create (or append) the advisories to a flat file. The format will be:
38280!20100121!Less critical!Drupal Control Panel Module 6.x!\
Cross Site Scripting!From remote!Drupal Control Panel Module Script\
Insertion Vulnerability!http://secunia.com/advisories/38280!164
Important disclaimer: My Perl script has been developed for internal usage only. I cannot be held responsible for any misuse. As mentioned on the Secunia website, all information available on the website is copyrighted:
“Terms & Conditions for usage of the Web site and content
These terms and conditions apply to anyone using Secunia, visitors as well as customers.
Distribution, publishing, or reproduction of any information from this site is strictly forbidden without the written permission from Secunia. All content is copyrighted by Secunia. You may however use Secunia as a reference, as long as you clearly state Secunia as the source of information and link to the specific information at Secunia.”
Once the vulnerabilities log file is populated on a regular basis (an hourly crontab entry should be enough), your log management solution is able to read the new events. Here are two examples using different tools (one free and one commercial).
ArcSight has a catalogue of powerful solutions to build a SIEM environment. These tools are able to learn unknown file formats using “FlexConnectors”. I wrote my own FlexConnector which parses the Secunia events and converts them into CEF (“Common Event Format”), the standard event format developed by ArcSight. Once collected and indexed, it’s possible to use the Secunia events like any other event type, as shown in the picture below.
[Figure: Secunia Events in ArcSight]
If you’re interested, the FlexConnector is available here. It is provided “as is” without any warranty.
The second example is based on OSSEC. This open source tool has many interesting features. It’s not only an HIDS (“Host based Intrusion Detection System”), it can also monitor the activity of a system by reading log files. Based on patterns, OSSEC is able to take actions (basically an alert via e-mail or Syslog, or a triggered script). If you want to learn more about the OSSEC basics, I recommend having a look at the presentation Wim Remes gave during the last FOSDEM.
To parse the Secunia events, the configuration is straightforward (based on a standard OSSEC installation). Configure OSSEC to process a new log file in your ossec.conf file:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secunia_parse.log</location>
</localfile>
New alerts are defined in your local_rules.xml file (tip: add your customizations in this file only. It will remain untouched in case of an OSSEC upgrade). The first rule will match a “highly critical” vulnerability and the second one will match a “highly critical” vulnerability affecting the Red Hat Linux distribution:
<rule id="100001" level="8">
<description>Highly critical Secunia event</description>
<decoded_as>secunia-parse</decoded_as>
<status>Highly Critical</status>
</rule>
<rule id="100002" level="9">
<description>Highly critical Red Hat vulnerability</description>
<if_sid>100001</if_sid>
<match>Red Hat</match>
</rule>
Example of alert generated by OSSEC when the rules above are matched:
** Alert 1266240348.11157: - local,syslog,
2010 Feb 15 14:25:48 zeroday->/var/tmp/secunia_parse.log
Rule: 100002 (level 6) -> 'Highly critical vulnerability affecting Debian'
Src IP: (none)
User: (none)
38607|20100215|Highly critical|Red Hat Enterprise Linux AS 3,Red Hat Enterprise Linux AS 4,Red Hat Enterprise Linux Desktop 5,Red Hat Enterprise Linux ES 3,Red Hat Enterprise Linux ES 4,Red Hat Enterprise Linux WS 3,Red Hat Enterprise Linux WS 4,RHEL Desktop Workstation 5RHEL Optional Productivity Applications (v. 5 server)|System access|From remote|Red Hat update for openoffice.org|http://secunia.com/advisories/38607|88
It’s easy to get notified when vulnerabilities are detected for your favorite applications and operating systems!
Deploying and maintaining a SIEM is a complex and recurrent process. Feeding your SIEM with extra sources like Secunia could greatly increase the visibility required to maintain your infrastructure at the highest security level.
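The same two checks can also be run directly on the flat file, with a severity threshold instead of an exact match. The filter below is an added example, not the author's Perl script or an OSSEC component; it assumes the nine fields appear in the order of the advisory table and that severities follow Secunia's five-level scale. The function names and the sample lines marked as constructed are hypothetical.

```shell
#!/bin/sh
# Added example: filter the secunia_parse.pl flat file by severity and product.
# Assumed field order (same as the advisory table):
#   id|date|severity|product|impact|source|descr|url|popularity

# secunia_filter MIN_SEVERITY [PRODUCT_REGEX] [SEPARATOR] < logfile
# Prints "id severity url" for each advisory rated MIN_SEVERITY or higher
# whose product field matches PRODUCT_REGEX (case-insensitive).
secunia_filter() {
    awk -F "${3:-|}" -v min="$1" -v prod="${2:-.}" '
    BEGIN {
        rank["not critical"] = 1;        rank["less critical"] = 2
        rank["moderately critical"] = 3; rank["highly critical"] = 4
        rank["extremely critical"] = 5
        need = rank[tolower(min)]
        if (!need) {
            print ("unknown severity: " min) > "/dev/stderr"
            bad = 1
            exit 2
        }
    }
    # A separator inside a field or a truncated write changes the field
    # count: count such lines instead of matching on shifted columns.
    NF != 9 { skipped++; next }
    {
        sev = rank[tolower($3)]
        if (sev >= need && tolower($4) ~ tolower(prod))
            printf "%s %s %s\n", $1, $3, $8
    }
    END {
        if (!bad && skipped)
            print (skipped " malformed line(s) skipped") > "/dev/stderr"
    }'
}

# Sample input. Lines 1-2 are adapted from the samples on this page
# (separator normalised, product list shortened); lines 3-4 are constructed.
secunia_sample() {
    cat <<'EOF'
38280|20100121|Less critical|Drupal Control Panel Module 6.x|Cross Site Scripting|From remote|Drupal Control Panel Module Script Insertion Vulnerability|http://secunia.com/advisories/38280|164
38607|20100215|Highly critical|Red Hat Enterprise Linux AS 3,Red Hat Enterprise Linux AS 4|System access|From remote|Red Hat update for openoffice.org|http://secunia.com/advisories/38607|88
90001|20100216|Extremely critical|Example Browser 1.x|System access|From remote|Constructed entry|http://example.invalid/90001|10
90002|20100216|Highly critical|Example | Product|truncated
EOF
}

# Equivalent of rule 100002: highly critical (or worse) and Red Hat.
secunia_sample | secunia_filter 'Highly critical' 'Red Hat'
```

Called from the same crontab entry as the Perl script, the filter output can be mailed or sent to syslog.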

To surf the web, you need a specific application: a browser. Today, this piece of software is delivered by default with all operating systems and is used more and more, even for non-Internet-related stuff (lots of applications or devices are manageable using a web interface). For some companies, the browser will even replace the operating system in the near future. Think about Chrome OS from Google… It’s mainly an OS booted to launch a Google Chrome browser!
Modern browsers are fully customizable. Like operating systems, their look can be changed, extra features can be added using plug-ins or toolbars. They can also be configured using different levels of security. Briefly, the browser reflects the profile of its owner.
When people are online, one of their main concerns is to protect their anonymity. Using some tools and safe behaviors, it’s possible to stay more or less anonymous. Are you sure?
Panopticlick is a project of the Electronic Frontier Foundation which tries to identify browsers. How does it work? When you visit a website, your browser sends a lot of useful information to the server. The most common is called the user-agent. Example:
Mozilla/5.001 (windows; U; NT4.0; en-US; rv:1.0) Gecko/25250101
But a lot of other interesting data is also available, like character encoding, timezone, etc. Based on all these details given by your browser, Panopticlick is able to compute a kind of “fingerprint” using an algorithm explained here. Basically, it’s the same method as the one used to identify people based on measures of their postal code and birth date (this is called “entropy”).
The problem with this method: visitors can potentially be identified by their browser when they visit a website. Using personal information like geographical location, language or time zone, a website could turn its visitors into nice targets for marketing actions or change their access to the data (restrictions like geo-IP localization).
To test your browser, click here.

Priorities are a common parameter in applications. Examples are numerous. In support applications, priorities are used to define the urgency of the reported problem. When you configure software, priorities may help to re-order similar actions. In protocol specifications, priorities are also used to make decisions (routing protocols are a good example). In short, priorities are everywhere!
Did you ever notice that the order of priorities often depends on the application? Some developers use priority 1 (one) as the highest, while others use it as the lowest. In a given context, take two identical rules with respective priorities of “10” and “20”: which one will be processed first? Often, you will have to refer to the documentation!
First example, the MX (“Mail eXchange”) records in a domain zone. The MX record with the lower priority value will be used first:
rootshell.be. 3600 IN MX 10 mail.rootshell.be.
rootshell.be. 3600 IN MX 20 mx1.nikita.cx.
rootshell.be. 3600 IN MX 300 spammers.go.away.
A second example? In the BGP4 protocol. At a given step, the route selection is performed also depending on a priority (called “weight” in this case).
“In the latter case the route selection process moves to the next tie breaker. While LOCAL_PREF is the first rule in the standard, once reachability of the NEXT_HOP is verified, Cisco and several other vendors first consider a decision factor called WEIGHT which is local to the router (ie not transmitted by BGP). The route with the highest WEIGHT is preferred“.
OTRS, a popular open source ticketing system, uses priorities from “1” (lowest) to “5” (highest).
In those three examples, we see that the priorities order is different. As everything is standardized in information technology, why not the definition of priorities?

I’m back from my daily visit to FOSDEM. This two-day event organized in Brussels has reached its 10th edition! Congratulations! I have attended FOSDEM for several years and its success keeps growing. This is good! It means that the interest in free software is growing too! Even better, like any similar event, it is an excellent place to meet “IRL” (“In Real Life”) your friends and the developers of your favorite applications or operating systems.
I arrived at the conference venue around 9:00am. It was impressive to see so many geeks already converging on the same place on a foggy Sunday morning! My first selection in the huge number of tracks was “Linux distribution for the cloud” by Peter Eisentraut. Cloud computing remains a hot topic. Peter explained what the cloud is (and once again a new definition of the “cloud”!) and explained how Linux distributions could take advantage of it. Linux distributions are made to provide a compilation of useful tools to the users. That’s also the goal of clouds. What are the implications of free software used in the cloud? The presentation was not what I expected (“how to build a cloud service based on free software”), and I was a bit disappointed.
The second talk was given by Marius Nuennerich. The topic was an “Introduction to FreeBSD”. FreeBSD is an operating system which offers nice features. I learned that many different big organizations like Yahoo!, banks and military organizations are using FreeBSD. Parts of the source code have been re-used in many commercial products (MacOS, Cisco, Juniper, …). The code is released under the BSD license, which is so simple compared to other types of licenses! Lots of questions came from the audience regarding the license model and the discussion slid smoothly from a presentation of the operating system to something more “legal”. There was not enough time to cover in depth the other nice features of FreeBSD like the jails and the file-system encryption. But the talk was instructive. I like the quote of Marius:
“You cannot escape from a FreeBSD jail! It’s like a … jail“
My next two tracks were much more popular and presented in the biggest room (“Janson”). Andrew Lewman presented the Tor project (“The Onion Router”). It is a well-known project which increases the anonymity of users’ traffic on the Internet. Everybody may require anonymity on the Internet: from the end-user to military infrastructure or human-rights defenders. The principle behind Tor was explained (routing packets through virtual circuits up to the end-node). There are also plenty of tools to make Tor easier to use (proxies, virtual machines, live CD, etc). As Tor protects user anonymity, it’s difficult to collect information about the users. Anyway, a site (metrics.torproject.org) tries to gather some statistics.
Finally, my last track was given by Andrew Tanenbaum himself. He spoke about MINIX, an operating system designed to be highly reliable, flexible, and secure. “Andy” is an excellent speaker and gave a presentation of his baby. He started with this quote:
“If God wanted software to be reliable, he wouldn’t have created Reset buttons“
This is so true! The MINIX fundamentals were reviewed, along with how it can provide this excellent reliability. I installed AmigaMINIX years ago and was happy to receive a prompt but only basic commands like ‘ls’, ‘cp’ worked. Now, the OS looks much more mature and has enough tools to start using it. To be investigated when I have some free time (on my todo list).
And as usual, lots of stands with all your favorite flavors of operating systems and applications! The RepRap one was impressive, with their 3D printers on demo.
An excellent edition with a strong organization (mandatory to satisfy thousands of visitors during two days!) Some pictures of the event are available on Flickr and see you next year!

Yesterday, I received the e-mail below, forwarded by a friend. Usually, I don’t react to such e-mails (who does not receive daily PowerPoint files, jokes or funny messages in his mailbox?). But this time, it was quite realistic.
This is a letter sent by a Grandma to her bank. There are such realistic facts about the security procedures that I have to share it with you. Many allusions to methods used by financial institutions…
The original text was in French (original text here) and was translated into English (my apologies for the approximate translation of some sentences).
Dear Sir,
I would like to thank you for having refused my check that would have allowed me to pay the plumber last month. By my calculations, three nanoseconds elapsed between the presentation of the check and the arrival of the funds on my account. I refer, of course, to the automatic monthly deposit of my pension (which has occurred, I must admit, for only eight years). I must also congratulate you for the debit of 30 EUR from my account for the inconvenience caused to your bank. This incident prompted me to review the way I manage my finances.
I noticed that whereas I personally answer your telephone calls and letters, I am confronted with the impersonal, demanding and programmed entity of your bank. Starting from today, I decided to deal only with a human person. The monthly mortgage loan will no longer be automatically transferred but will arrive via checks addressed in a confidential way to a designated employee who will be selected according to my own criteria. Be warned that any other person taking care of my letters will be considered as a violation of postal regulations.
You will find enclosed an application form that must be completed by the designated employee. It contains eight pages. I’m sorry, but this is the only way to learn as many personal details about your employee as the bank knows about me. There is no alternative. Please note that all pages about medical records must be countersigned by a notary, and the mandatory details of his/her financial situation (income, debts, assets and liabilities) must be accompanied by relevant documents.
Then, at my convenience, I will issue a PIN code for your employee. He/she must use this code during each appointment. Unfortunately, that code will contain no fewer than 28 digits but, again, this is based on the number of keys that I have to press to access your bank phone services. Let me develop this procedure.
When you call me, press the buttons as follows: Immediately after dialing the number, please press star (*) to select your language.
Then 1 for an appointment with me.
The 2 for questions related to late payments.
The 3 to transfer the call to the living room.
The 4 to transfer the call to the bedroom.
The 5 to transfer the call to the toilet.
The 6 to forward the call to my mobile if I am not at home.
The 7 to leave a message on my PC. A password will be required. This password will be communicated at a later date to the authorized person mentioned above.
The 8 to return to the main menu and listen to new options.
The 9 for any generic question or complaint. There is a risk of being put on hold.
The 10, again to select the language. This may increase the waiting time but relaxing music will be played during this time.
Regrettably, but again following your example, additional charges will be levied to cover the installation of equipment required by this new procedure. May I wish you a happy, albeit very slightly less prosperous new year?
Respectfully,
Your humble customer.